Cisco Systems WSC2960XR48FPSI Private VLAN Port Configuration

Formore informationabout using theip sticky-arp global configuration and theip sticky-arp

interfaceconfiguration commands, see the commandreference for this release.

•Youcan configure VLAN maps on primary and secondary VLANs. However, we recommend that you

configurethe sameVLAN maps onprivate-VLAN primary andsecondary VLANs.

•Whena frame is Layer-2 forwarded within a private VLAN, the same VLAN map is applied at the

ingressside and at the egress side. When a frame is routed from inside a private VLAN to an external

port,the private-VLAN map is applied at the ingress side.

◦Forframes going upstream from a host port to a promiscuous port, the VLAN map configured on

thesecondary VLAN is applied.

◦Forframes going downstream from a promiscuous port to a host port, the VLAN map configured

onthe primaryVLAN is applied.

Tofilter out specific IP traffic for a private VLAN, you should apply the VLAN map to both the

primaryand secondary VLANs.

•Youcan apply router ACLs only on the primary-VLAN SVIs. The ACL is applied to both primary and

secondaryVLAN Layer 3 traffic.

•Althoughprivate VLANs provide host isolationat Layer 2, hosts cancommunicate with each other at

Layer3.

•PrivateVLANs support theseSwitched Port Analyzer (SPAN) features:

◦Youcan configure a private-VLAN port as a SPAN source port.

◦Youcan use VLAN-based SPAN (VSPAN)on primary, isolated, and community VLANs or use

SPANon only one VLAN to separately monitor egress or ingress traffic.

Private VLAN Port Configuration

Followthese guidelines when configuringprivate VLAN ports:

•Useonly the private VLAN configuration commands to assign ports to primary, isolated, or community

VLANs.Layer 2 access ports assigned to the VLANs that you configure as primary, isolated, or

communityVLANs are inactive while the VLAN is part of the private VLAN configuration. Layer 2

trunkinterfaces remain inthe STPforwarding state.

•Donot configureports that belong to a PAgP or LACP EtherChannel as private VLAN ports. While a

portis partof theprivate VLAN configuration,any EtherChannel configuration for itis inactive.

•EnablePort Fast and BPDU guard on isolated and community host ports to prevent STP loops due to

misconfigurationsand to speed up STP convergence. When enabled, STP applies the BPDU guard

featureto all Port Fast-configured Layer 2 LAN ports. Do not enable Port Fast and BPDU guard on

promiscuousports.

•Ifyou delete a VLAN used in the private VLAN configuration, the private VLAN ports associated with

theVLAN becomeinactive.

•PrivateVLAN ports canbe ondifferent network devices if the devices are trunk-connected and the

primaryand secondary VLANs havenot been removedfrom the trunk.

Catalyst 2960-XR Switch VLAN Configuration Guide, Cisco IOS Release 15.0(2)EX1

OL-29440-01 85

Configuring Private VLANs

Private VLAN Port Configuration